AOL Security Compromised by Teenager

Freaky_Friday wrote with a link to an InfoWorld article about a teenage kid accessing customer information at AOL. The alleged criminal trespass began late last year, and extended up through early April. According to the article, the guy used some 'off-the-shelf' hacking software he downloaded online to gain access to, and then transmit information from, AOL's systems. "The complaint states that Nieves admitted to investigators that he committed the alleged acts because AOL took away his accounts. 'I accessed their internal accounts and their network and used it to try to get my accounts back,' the defendant is quoted as saying in the complaint. He also admitted to posting photos of his exploits in a photo Web site, according to the complaint ... If the defendant was honest about his motivation in his reported confession, it's safe to assume that he wasn't interested in stealing data for financial gain, [Managing director of technology at FTI Consulting Mark] Rasch said. Still, it'll be interesting to find out what steps AOL is taking if customer data was in fact compromised, he said."

Hmmm

[NightWulf]

Kid must be pretty smart if he was able to hack AOL's servers. *Reads article* Ohhhhh to get his account back...hmm forget it.

Re:Hmmm

[SteveD3]

One wonders exactly what tools he used. I mean it isn't like AOL is just sitting there open.

Re:Hmmm

[real+gumby]

Kid must be pretty smart if he was able to hack AOL's servers. *Reads article* Ohhhhh to get his account back...hmm forget it.

Hey, his friends were laughing at him because he was sending mail with lower-case letters!

Re:Hmmm

Well there have always been tools out there to hack AOL, some of the more notorious were AOHell and WAAS (We are all sinners), LOFT even had a whole series of tools for AOL. Most of them just contained a lot of script kiddy stuff but there were some others that gave you shell access to the network about 10 years ago or so AOL was really like a pretty face over a custom IRC type network. If you could drop down out of the pretty face and get to the raw shell which was only really only protected by the fact that the pretty face was there and most AOL users were too dumb to realize that there was something going on under the AOL screen. You could peek around, but then once you got yourself an overhead account you really could run through the system at will. While I imagine it has improved over the years I am guessing a lot of the base code and concepts of the network are there still.

Re:Hmmm

[Profane+MuthaFucka]

me too

Re:Hmmm

If I recall it wasn't to many years ago this was a common practice... AOL has always been renowned for its security!

Re:Hmmm

Yeah, great, that's really helpful. I bet the kid used something closely related to 10-year-old tools that drew hands in AOL chatrooms flicking the room off. I'll bet AOL hasn't improved their security since 1997 either. Thanks for the insight.

Re:Hmmm

ME TOO!!

> Kid must be pretty smart if he was able to hack AOL's servers. *Reads article* Ohhhhh to get his account back...hmm forget it.

Re:Hmmm

[ehrichweiss]

How dare you misspell the name of one of the greatest organizations ever. It's L0pht.

Re:Hmmm

And how dare you mispronounce it. It is pronounced l-zero-p-h-t you ninny!

Re:Hmmm

...the zero is silent.

This is news?

[Zeebs]

I mean I won't even go with the obvious AOL bashing. But is it really news that Teens are committing computer crime? Isn't that the stereotype? The pimple faced dateless wonder in his parents basement 'pwning' the 'g1bs0n'?

Re:This is news?

[Zeebs]

And just cause that's autobiographical doesn't mean anything mods!

Re:This is news?

[j_presper_eckert]

I heard that he was attempting to send some obscure command to the AOL servers: "Execute Order 66".

For his age-frame, I think he'd have been better off trying to go three integers higher.

Of course, for that you have to leave the basement eventually. Gotta leave that womb-like comfort to obtain...uh...some *other*...womb-like comfort...oh, never mind.

Re:This is news?

[nmb3000]

But is it really news that Teens are committing computer crime? Isn't that the stereotype?

Exactly! The only feasible solution is to add Hot Pockets to the same over-the-counter blacklist that NyQuil and such are on. Anyone who goes to Costco and buys a case of Hot Pockets is obviously a criminal.

Re:This is news?

[Lost+Engineer]

Me. I pwned Compuserve.

Too early for internets as a teen. By the time they got it together, I'd lost interest.

Re:This is news?

[fafalone]

Well, the fact that this is news can mean only one thing; AOL has massively overhauled their security system and now has state of the art, well designed, and highly effective security. Because the AOL I remember had its security severely compromised by teenagers several times a day. Serious breaches too, read my other post in this thread. It happened so incredibly often, there's no way a breach would be national news. So logically, if its now rare enough to be newsworthy, they must have stopped the endless onslaught of easily exploited holes...
...because a journalist would never just write up a non-story to insult AOL or do some "omg haxors" fearmongering... never...

Re:This is news?

[8ball629]

lol, Hackers was on last night :)

Re:This is news?

[Ash+Vince]

Me. I pwned Compuserve.

Thats because your old. :)

Off the shelf hacked software?

According to the article, the guy used some 'off-the-shelf' hacking software he downloaded online to gain access to, and then transmit information from, AOL's systems.

I've never heard of AOL software referred to like that before. Sure I was thinking it.

Curious....

[ScottKin]

I, for one, would like to know why he lost his original AOL accounts in the first place.

Hacking, maybe? ;)

ScottKin

Re:Curious....

lololololololololol,

ScottK, the masta of webnut: HAX TEH n00bZ! A0L 4 LYFEEEEE1!!!!!!!111!!1!1

Seriously, how are the kids? The #newgrounds.com bastardposse sends their luvz.

ph33r #allah, #muslims and #kike.

WE SHALL PWN AGAIN.

Re:Curious....

[ScottKin]

Ah, yes - the typical response from the mental midgets.

Who are you tasting these days?

And of course, they are such friggin' cowards that, of course, they choose to be a coward of the anonymous kind.

Enjoy your ignorance, fscktards.

--ScottKin

I remember...

[firpecmox]

I tried to hack someone once but that damn 127.0.0.1 was behind a firewall and it just messed up my computers

Re:I remember...

[Workaphobia]

I know what you mean. I was once after this guy at ::1 but IPv6 is unhackable, you know? I felt bad too, because when I couldn't do it, the guy in the mirror started looking at me funny.

Re:I remember...

Shut up I hack you!!!

Re:Some of us say why others say why not?

Nah, they'd rather squeeze some change out of him.

Re:Some of us say why others say why not?

[dreamchaser]

No, we need kids who don't go getting their accounts cancelled then break the law trying to get them back. We need kids who think up positive creative solutions to problems and aren't malcontents. He *should* face criminal charges. If he was banned wrongly there are other avenues to pursue. Not punishing him would just encourage others to do the same type of thing.

Suuurrree

[FalleStar]

Among his alleged exploits:
* Accessing systems containing customer billing records, addresses, and credit card information
* Infecting machines at an AOL customer support call center in New Delhi, India, with a program to funnel information back to his PC
* Logging in without permission into 49 AIM instant message accounts of AOL customer support employees
* Attempting to break into an AOL customer support system containing sensitive customer information
* Engaging in a phishing attack against AOL staffers through which he gained access to more than 60 accounts from AOL employees and subcontractors

Yeah, sounds like he was JUST trying to get his account back alright.

Re:Suuurrree

[VirusEqualsVeryYes]

Engaging in a phishing attack against AOL staffers through which he gained access to more than 60 accounts from AOL employees and subcontractors

You'd think employees of an ISP, who routinely warns its customers about it, would be wise to rudimentary "attacks" like phishing scams.

Re:Suuurrree

[ShaunC]

You'd think employees of an ISP, who routinely warns its customers about it, would be wise to rudimentary "attacks" like phishing scams.

You'd be surprised. Back in the late '90s, when phishing first became a problem on AOL, they went so far as to modify the Instant Message window so that it contained a disclaimer, in very obvious red text, saying that no one from AOL will ever ask for your password. Believe me, very few people paid attention to that warning.

I recall sitting in the nerve center chat with the likes of VARST, UTRST, JXRST, etc. and having the occasional moron walk in trying to phish in the chat. They didn't generally last long, but I also have seen a VARST operator type his password into the chat. It's sad how easily some (high-level) employees can be socially engineered. That's what you get when you hire Joe Regular into an enterprise position and you don't give him adequate training.

Re:Suuurrree

[paeanblack]

* Engaging in a phishing attack against AOL staffers through which he gained access to more than 60 accounts from AOL employees and subcontractors

Unfortunately, this kid's command of the English language was no better than that of "Bob", who sits three cubicles down. To "Jim", the two were indistinguishable. It's no wonder "Jim" got phished.

Ah, the joys of going multinational.

Re:Suuurrree

Dear VirusEqualsVeryYes (981719),

We have recently discovered some strange activity on your Slashdot account. Please print and fill out this form, and mail it to the below address to verify your identity.

1. Full Name and Address _____________
2. Bank account number ________
3. Bank account PIN _____
4. Age (Date of Birth) _________
5. Contact phone number __-__-___
6. Country ______
7. Occupation _______
8. Sex ___
9. SSN ______

Please mail completed form to:
Slashdot account verification department,
P.M.B. 0038
Bauchi
Federal Republic of Nigeria

Re:Suuurrree

[robbiethefett]

AOL is an isp? my elected official told me it was the point on the intarweb in which all the tubes met. he also assured me it was most certainly not a pickup truck.

Re:Suuurrree

[ConceptJunkie]

You'd think employees of an ISP, who routinely warns its customers about it, would be wise to rudimentary "attacks" like phishing scams.

I can tell you from personal experience that you'd be wrong. And not just because we are talking about AOL, but this will be true in any large company.

Re:Suuurrree

Uh, no?

If he spoofed/faked/compromised e-mails from people in management, I don't know why an employee would think it was fake. If you got an e-mail from your boss, would the first thing you think of be "this must be fake"?

Re:Suuurrree

Wow I cannot believe they still haven't secured those type of accounts or limit what they do.

Back in the days as a youngster I used to survive on AOL accounts just to get on the internet, well one thing led to another and you start getting deeper with different accounts because it catches your curiosity/power.

Specifically there were 'CAT' accounts that were one of the ultimate to get a hold of; it usually would take a list of about 100 regular AOL name/password to get one of the CAT accounts which required a username/password but later they added a 4 digit pin to enter after that. Well all we had to do was alter the web form and add an additional field just asking for their 4 digit pin. Still same old type of social hacking going on and that amazes me that they are still able to do this; especially since chat channels specifically 'phish,phish2,phish3,etc' on AOL were always full of people advertising hundreds of accounts and dozens of CAT accounts for many years until they closed them with the warnings of reporting you to the CAT team. The IRC channels were more toward Credit Card fraud and other crap which I would not touch with a 10 foot pole.

Re:Some of us say why others say why not?

[corychristison]

If only it worked that way...

In high school I was 'banned' (really they revoked my account... problem is they left the Administrator account without a password on the local system -- idiots) from using the schools computers because I had ssh'd into my home system and was fiddling around. Obviously because there was a command line involved, I was 'hacking.'

Why?

[flyingfsck]

If he had internet access already, why on earth would want an AOL account? Just a schtoopidttt script kiddie...

Article is Loaded with Errors

Mike aka Virus is far misrepresented by this article and the (at least) two others about this. AOL did not track him down by themselves, he was snitched on by a fellow member in the 'aim scene'. Causing $500,000 in damage by logging onto internal and overhead accounts to suspend and unsuspend account, way to try to make a case for yourself AOL. If anyone in this case needs to get in trouble it is AOL. AOL completely fails to train their employees against social engineering techniques, therefore their own employees are really the ones accountable for any customer information being revealed. AOL is notorious for exchanging favors for information on exploits and snitching on your "friends".

To quote the article:
"AOL has had pretty good security over the years."

This is a massive error in any credibility on AOL's part. Within the past 6 months there have been countless exploits in their systems including the ability to register accounts that were 1 or 2 characters long, register accounts of names that were already in use, including over registering internal accounts and accounts such as "AOL System Msg", the ability to register accounts with vulgar and racist words in them via non-American AOL sites, and thats just to name a few off the top of my head. Currently there is still a major issue with accounts having more than one working password.

I could go on and on about the flaws of AOL, but why bother, they know that the flaws exist but instead of tying to fix them they bury them by going after the people who find them, and leaving the holes still in their systems.

Re:Article is Loaded with Errors

AOL completely fails to train their employees against social engineering techniques, therefore their own employees are really the ones accountable for any customer information being revealed.

Entirely incorrect. AOL teaches all its new hires about various social engineering attacks. I know, I was forced to sit through it on my first day as an employee. And they remind people about it at least as much as anywhere else I have ever worked.

Should they do even more? Maybe so. But the fact is that the people themselves get lazy, or they get access for whatever reason that they probably shouldn't have. That's one reason I ignore all attempts for developers to get access to production databases... they don't generally know squat about security. They care more about meeting their deadline, or making their own lives easier. Unfortunately, someone in Operations either screwed up themselves, or they caved into pressure to allow one of the idiots in Dev or one of the "support" teams to have production information. *sigh*

At least when dev complains on Monday that they don't have access to my database, I can point at an article when I tell them to stick their request where the sun doesn't shine.

Re:Article is Loaded with Errors

I have documentation of events going back quite a ways. Emails showing over 3500 internal desktop compromises alone over a one year period of time. When I say "desktop compromise", I mean they were infected with a trojan via a directed attack for the sole and explicit purpose of accessing AOL's networks (as opposed to most trojan attacks designed to create ad hoc botnets).

The mental midget that performed the "Paris Hilton phone hack? He was caught because AOL handed over the evidence against him. AOl was investigating him for years -- mostly for his repeated intrusions into AOL's networks and systems such as "Merlin". Why keep quiet and not prosecute? Hmmm... good question. *grin*

One time thing?

[Perseid]

If security is this bad is it too off the wall to suggest that this may have been done before by people who have it in their best interests to keep quiet about it? Scary stuff.

Job Postings

In Related News. AOL is looking for a software engineers and it people to combat a variety or threats to its systems and users. They use many Open Source projects and a variety of exciting opportunities just opened up.

Re:Some of us say why others say why not?

[rmadmin]

ohhh. Been there, done that. NCSA telnet on an old skewl mac to my box at home on dialup. Monilith dynamic dns. Except I was "Playing games" not hacking. Sadly, that teacher is still teaching Claris works or some crap like that while I manage the ISP division of a Telco/CatTV/ISP. *yawn*

Okay, so lets think about this for a minute

[zappepcs]

Freaky_Friday wrote with a link to an InfoWorld article about a teenage kid accessing customer information at AOL [CC]. The alleged criminal trespass began late last year, and extended up through early April. According to the article, the guy used some 'off-the-shelf' hacking software he downloaded online to gain access to, and then transmit information from, AOL's systems. Okay, so a script kiddie hacks AOL servers and Diebold builds really bad voting systems. Which one is worse? Technically, if all that's said so far is true, the kid probably belongs on a security team at AOL. He at least knows enough holes in their security to cause them no sleep for months. Perhaps that should be the entirety of his punishment: help AOL fix their holes for free.

On top of that, lets have AOL users now hold the board of AOL responsible until they show they have fixed their security issues. If a 'teenage kid' can hack their security, why should any AOL user remain with them? If they fail the post remediation testing, penalize them financially.

Re:Okay, so lets think about this for a minute

Thats just it, AOL doesn't fix their holes, and Virus was by far not the first to do this, its been happening for over a decade, he just got sloppy. And to those referring to him as a script kiddie, he was definitely beyond that stage.

Re:Okay, so lets think about this for a minute

[Virgil+Tibbs]

he used off the shelf hacking tools - I take it that means somthing off sectools.org depending on which it was - it could mean anything but although he does know the holes better that AOL's team i think AOl's security team should just stop driking coffe and have a go at hacking their own systems and hang out on #cracking-aol-with-no-speacialist-knowledge

Re:Okay, so lets think about this for a minute

[Tuoqui]

Slavery is illegal. Fixing all of AOL's security holes would require him being there for a lifetime. I'm not condoning what the kid did... well ok maybe in a roundabout way. AOL should fess up that their own internal security is not as good as they would lead everyone to believe. It sounds like their Security Team is not doing nearly as much penetration testing as they should be. You want good penetration testers hire the kid on instead of frying his ass in court. Obviously if you give the kid a check and a contract and let him hack in the direction of your servers 24/7 if he wants as long as he reports the vulnerabilities to your security team it sounds like it'd work out for everyone involved. Of course I havent read the article so I dont know exact details of said hacking so maybe what the kid did isnt exactly conductive to giving him a job.

Re:Okay, so lets think about this for a minute

[KTorak]

Why would a 'hacker' be using AOL (dial up i presume - who pays for high speed AND AOL?) to access the internet? Wouldn't he be a little more sophisticated and have DSL or cable? If you get banned, more on to a better ISP, end of story.

Re:Some of us say why others say why not?

[Zantetsuken]

I guess you missed the part where it said "off the shelf hacking software"

Just because you can click yes all the way through installing something on Windows doesn't mean the NSA should hire you to harden the Linux or BSD kernels they use on their systems...

This kid's a punk.

He might have been ratted out by his hacking crew, but he deserved it. He is a jerk, special ed all his life for anger issues. And it wasn't just AOL, so that BS about "just trying to get my account" back doesn't fly. The jackass was so freaking high on himself that he would use social engineering to gain access to companies databases, then send screen caps to the FBI. Including his aim handle. Which he also had on his myspace page. Dumbass.

Re:This kid's a punk.

[imunfair]

That may be true, but it doesn't change the messed up nature of how our society treats people who crack their systems. Yes, there should be consequences - but part of those conseqences should be requiring the crackers to help the victims clean up and secure their systems. What good does it do if a kid hacks government agencies, then just gets thrown in jail. It isn't a productive use of his skills, and the government servers sit there unfixed for the most part. (government is just the extreme example - AOL and pretty much any other situation could fit into the same boat - especially when they are corporations/governments with pathetic security, not just some zero-day that happened to get through before it was patched)

Re:This kid's a punk.

[techno-vampire]

It isn't a productive use of his skills...

What skills? Lusers like this have no skills, just programs they found somewhere. They have no idea how the programs work, couldn't write one if they did and have minimal computer skills. They're just young punks doing the computer equivalent of spray-painting graffiti, or tagging.

Re:This kid's a punk.

You do realize that you can't go out and find a program for messing with AOL, we write our own.

Re:This kid's a punk.

[aguenter]

Not trolling here, but, if someone gets imprisoned for stealing and stripping automobiles, they should be hired by their local Goodwrench service center as a master mechanic?

I don't think a life sentence is in order, but there has got to be some accountability for actions taken. I mean, by your line of thinking, why would you even interview for an IT position anymore? Just find an exploit in a prospective employer's system and run with it. Once you've caused thousands of dollars worth of damage and compromised clients' personal/confidential data, your worth will be noted and an offer made.

Doesn't this somehow send the wrong message?

Re:This kid's a punk.

[imunfair]

Not hiring them, at least initially - more like community service - the cracker would have to spend a certain amount of time helping the company. After that point, if the company felt they could trust the person, sure they could actually offer to hire them.

Frankly, hiring crackers would be the best thing AOL could do, considering their incompetent programmers and security procedures. I'm familiar with AOL, and although their security has gotten better in some slight ways over the past 7 years, it's remained mostly the same, and in some ways is even worse.

Here's a perfect example: they used to store encoded md5 hashes in your registry - now they just encrypt them. Why would you store someone's password unhashed client side, that's just asking for a worm with a password stealer. That's the least of their problems. When a kid can VPN into your internal network, and actually use it for something 'useful' you need some major outside security help from whoever you can get it from.

Re:This kid's a punk.

[techno-vampire]

There are programs and scripts out there to break into various types of computers. I'm sure this jerk just used whichever ones he could find until one of them worked,then started messing around. That's how this type of thing almost always goes. If he'd had the skills to do this without help, do you think he'd have bothered with AOL?

Re:This kid's a punk.

[aguenter]

I'm not disagreeing with the reality of the matter. I am however disagreeing with the example that is set in the process.

Alternate thread title...

"AOL pwn3d by script kiddie. World laughs (harder)."

Re:Some of us say why others say why not?

[TubeSteak]

He *should* face criminal charges.

Yes

If he was banned wrongly there are other avenues to pursue.

This is AOL we're talking about.
In what bizarro world does AOL have good customer service, such that they'd investigate and remove a ban?

What are these other avenues?
A civil lawsuit?

Re:Some of us say why others say why not?

[aussie_a]

Steve Jobs was a script kiddie? O rly?

Re:Some of us say why others say why not?

[Scoth]

I was in high school from 95-99, so the internet revolution/everybody having a computer thing went from just getting going to the beginnings of big time. Almost every single time I mentioned I was into computers to anyone, the first question was always "Are you a hacker?". Anytime I did anything other than load Word, Solitaire, or Netscape, someone would ask me "Are you hacking?". It all got old very quickly. I used to prefer an auto-hiding taskbar, and they almost permanently banned me from the library computers for "hacking" when I turned it on for the hour or so I had alloted to me at the time. As it was, I kept their computers running pretty much single-handedly (county IT dept was useless, and the only other student that was at all techy like me had already screwed up his chances by using his access to steal teacher/student private information) so I wasn't too worried about getting banned.

Incidentally, they were all Windows 95 boxes with some pretty bad security software on it. I found at least two ways through it - the fun one was they didn't lock down Winkey-F. Search on the program you wanted to run, and run it. Likewise, you could load an "approved" program, pull up the Open File dialog, and find the program in there and run it. The other way was Winkey-E. It would pop up a "You don't have permission to run this program" error. Hold it down and the screen filled with them very quickly. Eventually, Windows ran out of memory, Explorer crashed, and it would automatically repop without the security software there. Voila.

So, I guess I was kind of a hacker. Oh well :)

AOL?

[Infonaut]

What is this AOL you speak of?

This is news?

[Bob+Cat+-+NYMPHS]

Who DIDN'T own AOL when they were a teenager?

Re:Some of us say why others say why not?

[zakezuke]

If he was banned wrongly there are other avenues to pursue.

Save switching ISPs, not really. AOL's support is pretty bad. For example mail to aol wouldn't parce out names with periods in them.... I.e. John E. Hancock.

Ya..

[msimm]

you're new here aren't you. (:

Uh, "hacking crew"?

You make it sound as if they had a clue. These are just a few k1dd13z doing the kind of shit which only k1dd3z do.

They believe that they're "special" because they did it, all the while not realising that anybody can do it, but it's just that only retarded k1ddi3z are actually bored enough, or have the time to waste to do something as lame and loserish as "hack" AOL.

In other news...

[thib_gc]

Other shocking headlines: "Ape defeats security of Diebold voting machines"

Re:In other news...

[robbiethefett]

"Further investigation reveals that the alleged Ape was actually Steve Balmer, who is now President of the United States. When asked to do something about it, congress said 'we will work on a plan for a timetable to remove Balmer from office within 24 months, but there is little we can do.. he's just going to veto it."

Re:Some of us say why others say why not?

My high school had windows 95 machines that were imaged from a server on a regular basis, so I had no qualms about pointing out security problems by placing notes in C:\ and after a month with no change to security, I'd format the box.

They started running Fortress but you could still open up apps like Word and get to the system information tool where you could run other applications from- similar with netscape- just configure a helper application for some odd protocol and try and go to a site with that protocol and bam your program runs.

I also discovered a loophole with their digital card catalog system (green screen terminals) that allowed me to outdial from their interlibrary connection system. I don't remember the exact mechanism, but if I had to guess, I think I let it dial the other library, then just did +++ATH0 and then dialed to wherever I wanted to dial. I think I only used it to dial up my local shell account (local call)- in theory, though, I could have called anywhere, I don't think they had it hooked to the PBX.

Anyway, I didn't count myself a hacker, but I did find a couple ways to end run their security so I could do day-to-day (for me, ~1996) things like check email that nobody else really did.

I both hated and loved high school.

Re:Some of us say why others say why not?

[Trentus]

Last year (my final year of school) I found that if you yanked out the network cable when it said "applying security settings", it wouldn't apply the group policy. It was rather handy, because one of the things we had disabled was right clicking... nearly drove me mad that did...

Re:Some of us say why others say why not?

I didn't say that Steve Jobs was a script kiddie. What I said was that we shouldn't just stamp out the spark in this kid by sending him to jail or even charging him with a crime. Society is made far better when brilliance is recognized and properly used, i.e. for tasks that are legal. And for those of you who voted me a troll, fuck you, o knuckle dragging cavemen.

Same old same old

[ShaunC]

From the perspective of someone who was in that scene more than a decade ago, it's enlightening to see how much of this is still going on. I don't see where in the article it says he used "'off-the-shelf' hacking software," but I guess these days it doesn't take much talent.

I remember when the phishing trend started. AOL's biggest mistake at that point was creating a special People Connection lobby that overhead/internal accounts would default to. Initially, it was just a private room whose name changed occasionally (who else remembers THEBLIMPSAIDITALL, and numerous incarnations of IllIlIIlIIlllIlIIlI...?). Anyone who knew the name could get into the room with any regular account, and phish privileged accounts to their heart's content. Eventually AOL made some progress and created a viewruled lobby, which they assumed would keep the riff-raff out, but they forgot to plan for the fact that the riff-raff already had access to privileged accounts.

In the early to mid 90s, there was no such thing as phishing. If you wanted privileged access, you had to work for it, and it was a thankless (but sometimes rewarding) task. There were a handful of folks - okay, probably a few handfuls, maybe numbering in the tens - who spent their free time doing real hacking. Those of us on the Mac side were busy poring over logs from Serial of Champions, reverse engineering the client-server communications. Through trial and error, we determined that every client request would send a two-character "token" and an argument to match. For example, double-clicking a message board to open it up might send the token "mB" with the message board's ID as the argument. Using the Keyword feature would send a Kk token, that's the only one I still remember for sure.

We eventually compiled a list of the various "tokens" that made up the AOL protocol, and what they did. There was a developer's client extension that allowed for sending arbitrary token/args, and like most things inhouse, it was leaked to a few people. This gave some of us the ability to do things nobody else could. Way before AOL ever introduced "Mail Controls," for instance, we were able to reject mail from specified users. The feature had been built into the system from the beginning but had never been released to the public (IIRC, the then-system-devs didn't even know it was possible). We'd stumbled upon the feature by sending random tokens to the server.

Here's a funny story about how something went from blackhat to implemented feature. At some point I discovered a token that would refresh the client's installed list of screen names. Basically, if you had AOL installed on multiple computers, or had multiple copies of the client on one machine, the list of your available screen names would inevitably become outdated across clients: if you created a new screen name on one client, then switched to another, the new name wouldn't show as a sign-on option. Likewise, if you deleted a screen name while you were logged in from one machine, that name would still (incorrectly) display as available on another machine. There was no way to synch up the list of names, so if you created screen name FoobarMan on machine A, the only way to sign onto it from machine B was to reinstall the client.

Well, I found out that if you sent a certain token to the server, it would force a client-side refresh of the screen names on the sign-on list. Having legitimate access to publish things - did I mention I was not only a haxx0r, but also remote staff - I created a little form with a link that would send that token, thus refreshing the client's list of screen names. I passed it on to a TechLive friend who started giving it out to members who were having this (common) problem. Eventually someone inhouse got wind of it. I got reamed, my creation was removed, and a month later a shiny new feature appeared at keyword: NAMES... "Refresh Screen Name List."

Go figure. :)

Accessing member information is hardly anything new. AOL has a customer management system

Re:Same old same old

[fafalone]

Well it sounds like I was in "the scene" a year or two after you. We took the token thing to a whole other level. Tokens are a small part of the scripting language AOL runs on, FDO. Thanks to some leaked internal documentation and lots of trial and error, a small group of us became quite good with FDO and could pretty much run amok among every resource on AOL. We wrote programs that automatically mapped the tens of thousands of objects; every mF token (forms), and my personal project, every eB token, which were the file libraries. Not only could a normal user invoke an eB token for a beta library, we could obtain staff only files too. The eB libraries didn't contain customer billing records, but they did contain internal operations documents, alpha release software, staff tools, and all sorts of other goodies. Mapping the tokens unleashed the real power of FDO; imagine having a list of every single window that made up the AOL software including ones you could not get to from a non-empowered account, and then being able to view the source code for that window and then having complete control of that code locally. While I wasn't involved personally, I believe one exploit that descended from that power was the ability to bypass the SecureID (a physical device with a code that changed every 60 seconds) of internal accounts by recoding the entry window to behave as if it was entered. And of course, countless ways to terminate or take over normal accounts and access billing systems (I never messed with anyone elses account or info, of course in part due to the legal risk, but mainly because I actually did have morals as a young teen, and I was in it for the challenge, knowledge, and yes the glory and fame that came with being among the first to harness the power of AOL's internal language, which made us the elitest of the elite among the AOL programmer/hacker kiddies).
I won't go into much more detail, but good ole star tool (as it was called, adding a menu titled * that gave any account a direct interface to the internal FDO scripting) led to countless exploits for the small group of people able to take full advantage of it (i.e. it was significantly harder to interface with AOL through FDO than the Visual Basic programs everyone with half a brain flooded the scene with). Some of the more ambitious exploits made the news; I recall one time the leak of the next version of AOL months before it was even supposed to enter early beta got a mention in a major news outlet; while it wasn't me that leaked it, I was the one who found the eB library where it resided and passed along the token to those who did make it public. OpsSec (operations security, the highest level of AOL network security staff) knew us by name, and terminated my access more than a few times. It was really cool stuff, especially for a kid. I don't know if newer AOL software still allows clients to use tokens and other FDO code, or if AOL figured out how to secure privileged resources from those who could program in it, but back in the day security was so poor that our group of 10-13 year olds walked in and out of staff resources like they were our own personal playground.

Re:Same old same old

[ShaunC]

I think we were marginal contemporaries. If I have it right, y'all were doing "invokes" (like 32-41908) while the Mac side was busy sending token/args. Yes, I remember the * menu on WAOL. Its equivalent on the Mac side was the "Bullet Menu," named for the fact that instead of being a *, it showed up in the menu bar as a bullet (cmd-8 on a Mac).

FDOs and atoms were the Windows side of things. Your mention of OpsSec brings up another anecdote. There was an internal account, "NOC Nodes," run by network ops. I once created a fake account with the screen name "N0C Nodes" (november zero charlie Nodes) and IM'd a friend with his full phone number. The poor bastard logged off and wiped his hard drive. It only became a joke years later when he forgave me.

Fun times. :)

Re:Same old same old

[fafalone]

First we documented all of the tokens with just invokes yes; but from there we went on to writing our own windows and modifying the behavior of existing windows, working with every part of the FDO stream, not just the token invokes. If I remember correctly, the invoke menu command was only for invoking mF tokens anyway. That's all people could do before my time, where learning how to use all the other FDO commands was made possible by a internal documentation of the entire FDO language, a large manual covered in "CONFIDENTIAL" and "INTERNAL USE ONLY" stamps. Just invoking an mF token for a form would display the graphics and such, but if you really wanted to do something worthwhile, invoking that token was only the start of a stream. FDO has hundreds of commands besides invoke; we figured out how to do entire streams using all the commands, atoms, etc. Too bad I'm traveling with my laptop right now, I have hundreds of custom FDO scripts and documentations in my storage archives back at home. But anyway, FDO was an entire language, invoke was just one command, once one knew the entire language a whole new world of possibilities opened up that you could never accomplish with a simple invoke. I'll share another OpsSec story. My account got terminated for no good reason, so I called up the support line (CAT i think) and asked to be transferred to OpsSec. I was told no such department exists. I asked to speak to a supervisor, since granted a low level support peon might not know about it. The supervisor also told me it didn't exist. I explained in great detail why I knew it existed, and was then told 'well, you're not speaking to them' and got hung up on. So I started digging around all the internal documents we had, and in a couple hours came up with a phone number for OpsSec. I called them up, and right after I said hello, they called me by my handle, told me my account was killed for hacking, and told me knock off the token scanning and stop harassing tech support. First time I ever talked to someone who worked for AOL that actually seemed like an intelligent person who knew what was going on, and how I found out the highest levels of the company were actually worried about what we could now do with FDO.

Re:Same old same old

[8ball629]

Oh man, this is some good stuff. I'm gonna go read my programming books :).

Re:Same old same old

[madsheep]

I can tell you about a whole bunch of fun tokens. :P Is this AFC ShaunC and/or FiIe? wow.. memories.

Re:Same old same old

I think it was f2, if you mean the star menu "Invoke" command. Oddly, it didn't use FDO (just a straight byte dump) while f1/t1/etc used FDO commands.

Re:Same old same old

[ShaunC]

Yes, that's me... If I knew you back in the day, get in touch. :) http://shat.net/contact.php is at least marginally likely to be read. Anything else is hit or miss.

Re:Same old same old

[ShaunC]

Jesus H, at least I can tell you're the real deal. Now I'm going to have to go through every CD in my possession, looking to see whether or not I have some old backups of all the AOL shit. I'm fairly certain that it's all been lost to time (many priceless screenshots included) but damn if I could stumble across an archive.

Re:Some of us say why others say why not?

[golgoj4]

you know, if I had mod points I would throw some your way. Yeah he needs to be punished, but I think a fine line between punishment & use of his knowledge would be fine. Alienating people doesn't seem like such a good idea. Maybe put him in sort of community service type of position where he can see a benefit when actually contributing as opposed to just wreaking havok. But my whole opinion really hangs on his reasons for doing what he did. if his intent was as he says, why not try to bring him into the fold? Not without some penance of course...

As the saying goes...

So easy to hack, no wonder it was done.

(easy pun, doh!)

AOL deserve everything they get

[smoker2]

A year or so ago, a relative had their credit card details "lifted" while conducting a transaction over the phone with $retailer. This only became obvious when his monthly credit card statement showed payments to AOL. He called the credit card company to get the payments stopped and refunded. This took place but AOL continued to take the payments. The police were asked to intervene, but even though AOL must have had an address linked to the card details (AOL accounts require a landline don't they ?) they claimed that they couldn't say which account the credit card details were linked to, and refused to help any further. So, more digging by the police eventually found the original culprit had been working telesales at $retailer (strangely enough he no longer worked there and the police were "unable" to give out his details).

Fast forward to this year, and I got charges showing to AOL on my statements. As I have not used AOL for over 10 years (OK, I was a newbie and it seemed better than Compuserve) I was a bit annoyed. Got the charges reversed and asked for the account linked to my card to be canceled. AOL basically said (once again) sorry, we can't do that because we don't know who the card details are linked to. Next month arrives, AOLs payment disappears from my account. I call the bank again and get the charges refunded and ask them to make sure that AOL doesn't get to bill me again. They suggest that I call AOL to sort it out. So, after 45 minutes on hold, I get to talk to a call centre goon, who after much personal digging of my identity, tells me the only way to get the charges canceled is for me to send copies of relevant bank statements and identity documents and credit card numbers to their operations centre in the Netherlands.

Yeah right !

I'm trying to stop a fraud, not propagate another one ! Needless to say, I didn't send those details, and fortunately the bank now seems to have prevented the charges from re-occurring.

In conclusion, FUCK YOU AOL

Re:AOL deserve everything they get

[cdrguru]

Sorry, but this is a new feature with credit cards. Once a reoccurring payment has been authorized, canceling the card does not make it go away. You have to get the merchant (AOL in this case) to stop the charges.

Why is this happening? Well, finally after taking up the back end for so long, merchants got their act together and got the credit card companies to accept this. It has nothing to do with your bank, it has to do with Visa, Master Card and the others. What this means is that you can't sign up for some easy payment plan where they charge your card multiple times to get something and then cancel the card. You undoubtably have seen the ads on TV where you can get something that costs $300 but they charge you only $75 four times. Well, plenty of people figured out after they had the goods all they had to do was cancel the card. Worked really well, too. Too well. They got the stuff, and the merchant ended up losing $225 on the deal.

AOL probably cannot look up an account by credit card number, at least not through "normal" means. Yes, someone could sit down and hand-craft some SQL to find the account but you don't let call center people even try to do that. So your mistake was probably trying to deal with someone in the call center below a supervisor level to begin with. They can't help you and will never be able to. A supervisor probably can't help you either.

Unfortunately, these days the folks on the phones are trained that the supervisors are busy people and to never, ever bother them no matter what the customer wants or needs. Often the supervisor or 2nd level are in a different location as well. This makes it even more fun for the customer with an unusual request.

Security Campaign

[8ball629]

So much for AOL's security ad campaign...

Re:Some of us say why others say why not?

[Grimbleton]

I got banned from school computers for the last three quarters of my high school career for FTPing some papers I wrote to my personal website so I wouldn't have to find a floppy (Didn't have a USB drive at the time; too cheap to buy one) to revise them at home. I even explained what I was doing, and they had a small "meeting" while I finished up, without even going across the hall and grabbing the school's IT guys for a second opinion. Their conclusion? I was trying to upload a virus to the network. Apparently that's what you do in Microsoft Word these days.

Re:WTFPL 2.0

[WrongSizeGlass]

0. You just DO WHAT THE FUCK YOU WANT TO. I want to delete your asshatian post, but since your charming recommendation only covers copying, modifying and redistribution I'll just have to use Nature's delete button ... alcohol.

LOL

[madsheep]

Well it is funny to see AOL is now increasingly going after these kinds of people. If you search the past news, you will find one or two other cases of this. However, this is going on much more than you think. Not to mention it has increasingly gotten harder to successfully conduct such attacks. AOL didn't even used to use SecurID or any other form of hard token to protect this sort of thing in the past. Now even with these sort of security measures in place, they are still getting beat up badly. If you have an AOL account, there's not much to stop a determined whacker from getting your information and/or your account.

There aren't enough facts available to judge whether AOL could have done more to prevent the alleged intrusion. "We'll learn more as the case goes on," he said. "AOL has had pretty good security over the years." Mark Rasch is a smart guy, but I will have to respectfully disagree with his last quote there. I think if you ask a number of the people coming out of the woodwork to post here, they will agree with my above statements and mirror my disagreement here. Unfortunately it is not too hard to go look and see from web postings how poor AOL's security really is. You will find screen shots from AOL employees programs with all kinds of customer account detail to include Screen Names, Name, Address, Phone Number, last four digits of payment method, and more. Talk about a lack of privacy.

AOL, so easy to hack

[Khyber]

No wonder it's #1!!!

More to the point

[koan]

If he was doing it with script kiddie stuff then how many other "pros" are doing it and not getting caught?
Has anyone seen a lawsuit where an user can sue AOL or some other corp for not adequately protecting their info? If it can be proven that the exploit was a known exploit then it seems to follow you could sue them for not protecting the info.

Why AOL?

[RockoTDF]

If this kid is such a "hacker" why the hell is he using AOL?

tag?

[mstahl]

Why isn't this tagged 'pwnt'?

I watched a friend 0wn AOL in the mid 90s

I think everyone 0wn3d AOL to some degree back then. I remember watching a friend use a CC# generator to make up fake credit cards and register fake AOL accounts. And using some weird Mac utility to hide his porno in various random folders (inside some game folder, I think, with either saves or game files or something).

Funny thing was, it took me a few more years to comprehend what I saw him doing at the time, but I did enjoy reading his books on all the screwball things you could do with Apple computers. I liked making invisible folders with spaces for a name (or giving them names and using them to spell out silly messages).

Heh, that brings back old memories...

Customer privacy vs. great experience

There seems to be a fine balance between the need for companies to gather customer data, so they better understand their needs and tailor the user experience, and the possible risks with collecting and managing all of that information. It can be pretty tricky for organizations to convince customers that the collection of data is ultimately a mutually beneficial exercise. I just saw a cool VOD of the CIO of Circuit City and Tom Ridge (ex-Secretary of Homeland Security) talk about how the government and the corporate world deal with thee issues. Check it out at www.cioleadershipforum.com